[arch-general] systemd sessions, su -l, and access to /dev/
Hello. I asked about this in the forum. But it looks like this is a better place to discuss systemd-related issues. If I login to user1 or user2 then try to play audio which requires access to /dev/snd/* , proper access to the logged in user is set by the session and everything works correctly. But, if I login to user1 then su to user2, audio wouldn't work because access permissions are assigned to the session user only (user1). Any idea how to fix this issue?
On Fri, Nov 23, 2012 at 01:15:29AM +0300, MSal wrote:
Hello.
I asked about this in the forum. But it looks like this is a better place to discuss systemd-related issues.
If I login to user1 or user2 then try to play audio which requires access to /dev/snd/* , proper access to the logged in user is set by the session and everything works correctly.
But, if I login to user1 then su to user2, audio wouldn't work because access permissions are assigned to the session user only (user1).
Any idea how to fix this issue?
This is not really systemd but logind meddling with device permissions to enforce its 'seat' and 'session' security scheme. Quoting Tom G.: A brute-force way to avoid all of that is to "mask" it. I.e., symlink /etc/udev/rules.d/70-uaccess.rules to /dev/null. Then use udev to assign group rights on audio devices to the 'audio' group, make sure that users who need audio are members of that group, and things will work as you want. Ciao, -- FA A world of exhaustive, reliable metadata would be an utopia. It's also a pipe-dream, founded on self-delusion, nerd hubris and hysterically inflated market opportunities. (Cory Doctorow)
On Fri, Nov 23, 2012 at 11:20:31AM +0000, Fons Adriaensen wrote:
On Fri, Nov 23, 2012 at 01:15:29AM +0300, MSal wrote:
Hello.
I asked about this in the forum. But it looks like this is a better place to discuss systemd-related issues.
If I login to user1 or user2 then try to play audio which requires access to /dev/snd/* , proper access to the logged in user is set by the session and everything works correctly.
But, if I login to user1 then su to user2, audio wouldn't work because access permissions are assigned to the session user only (user1).
Any idea how to fix this issue?
This is not really systemd but logind meddling with device permissions to enforce its 'seat' and 'session' security scheme.
It's all a part of systemd.
Quoting Tom G.:
A brute-force way to avoid all of that is to "mask" it. I.e., symlink /etc/udev/rules.d/70-uaccess.rules to /dev/null.
Then use udev to assign group rights on audio devices to the 'audio' group, make sure that users who need audio are members of that group, and things will work as you want.
I was hoping for a cleaner solution. Maybe group session support where ACLs are applied on groups instead of users! Using ACLs for users only and voiding the historical support for groups is hardly progress. Or maybe I'm missing something. 70-uaccess.rules is not a backup file and AFAIK any modifications will be overwritten in the next update. I commented the line: SUBSYSTEM=="sound", TAG+="uaccess" and re-added the audio group as a workaround for now.
70-uaccess.rules is not a backup file and AFAIK any modifications will be overwritten in the next update.
Look up the NoUpgrade and NoExtract options in pacman.conf(5) :)
On Sat, Nov 24, 2012 at 08:26:00AM -0500, Zeke Sulastin wrote:
70-uaccess.rules is not a backup file and AFAIK any modifications will be overwritten in the next update.
Look up the NoUpgrade and NoExtract options in pacman.conf(5) :)
Still not a clean solution, IMHO. I want to deviate as little as possible from upstream/packaged configs. NoUpgrade means I'll be stuck with the current config file which might not be optimal 5 upgrades from now. Or even worse, it could become problematic.
On Fri, 23 Nov 2012 21:33:23 +0300 MSal <msal@tormail.org> wrote:
70-uaccess.rules is not a backup file and AFAIK any modifications will be overwritten in the next update.
I have no /etc/udev/rules.d/70-uaccess.rules on my system, i do have a /usr/lib/udev/rules.d/70-uaccess.rules though. I think creating the /etc/udev/rules.d/70-uaccess.rules to /dev/null symlink will override the standard rule and will not be overwritten by upgrading the udev package. -- Joakim
On Sat, Nov 24, 2012 at 02:48:14PM +0100, Joakim Hernberg wrote:
On Fri, 23 Nov 2012 21:33:23 +0300 MSal <msal@tormail.org> wrote:
70-uaccess.rules is not a backup file and AFAIK any modifications will be overwritten in the next update.
I have no /etc/udev/rules.d/70-uaccess.rules on my system, i do have a /usr/lib/udev/rules.d/70-uaccess.rules though. I think creating the /etc/udev/rules.d/70-uaccess.rules to /dev/null symlink will override the standard rule and will not be overwritten by upgrading the udev package.
If /etc/udev/rules.d/70-uaccess.rules would be applied on top of /usr/lib/udev/rules.d/70-uaccess.rules , that would have been great. As one can try to revese the undesired rule and still incorporate all upgrades. But cancelling all the rules is a no go for me as I don't want to be running an almost unique setup just because udev/systemd/loginctl didn't think of group permissions. If systemd developers thought of supporting ACLs based on GIDs at least, this would have been a no issue.
On Sat, Nov 24, 2012 at 12:52 PM, MSal <msal@tormail.org> wrote:
On Sat, Nov 24, 2012 at 02:48:14PM +0100, Joakim Hernberg wrote:
On Fri, 23 Nov 2012 21:33:23 +0300 MSal <msal@tormail.org> wrote:
70-uaccess.rules is not a backup file and AFAIK any modifications will be overwritten in the next update.
I have no /etc/udev/rules.d/70-uaccess.rules on my system, i do have a /usr/lib/udev/rules.d/70-uaccess.rules though. I think creating the /etc/udev/rules.d/70-uaccess.rules to /dev/null symlink will override the standard rule and will not be overwritten by upgrading the udev package.
If /etc/udev/rules.d/70-uaccess.rules would be applied on top of /usr/lib/udev/rules.d/70-uaccess.rules , that would have been great. As one can try to revese the undesired rule and still incorporate all upgrades. But cancelling all the rules is a no go for me as I don't want to be running an almost unique setup just because udev/systemd/loginctl didn't think of group permissions.
If systemd developers thought of supporting ACLs based on GIDs at least, this would have been a no issue.
Just to be clear, this isn't something the systemd developers came up with. ConsoleKit was responsible applying the same ACLs for local sessions before. It allows user-switching to work as expected by removing permissions when the session isn't active.
Just to be clear, this isn't something the systemd developers came up with.
ConsoleKit was responsible applying the same ACLs for local sessions before.
To give credit where it's due thoough I could me misremembering, but don't CK and systemd share the same developers? CK was their first go at session permission management - as of spring 2011 or so they deprecated CK and absorbed its functionality into systemd / logind. gene/
On Sun, Nov 25, 2012 at 12:27:01PM -0500, Genes MailLists wrote:
Just to be clear, this isn't something the systemd developers came up with.
ConsoleKit was responsible applying the same ACLs for local sessions before.
To give credit where it's due thoough I could me misremembering, but don't CK and systemd share the same developers? CK was their first go at session permission management - as of spring 2011 or so they deprecated CK and absorbed its functionality into systemd / logind.
gene/
Same developers? Not really[0]. Same company? Sure, Red Hat gets their paws on a lot of widely used Linux software (including being the largest corporate contributor to the kernel, at least in 2011). [0] http://cgit.freedesktop.org/ConsoleKit/log/ d
On 11/25/2012 12:38 PM, Dave Reisner wrote:
Same developers? Not really[0]. Same company? Sure, Red Hat gets their paws on a lot of widely used Linux software (including being the largest corporate contributor to the kernel, at least in 2011).
[0] http://cgit.freedesktop.org/ConsoleKit/log/
d
Well I did suspect my memory was off - thanks for correcting ... shows clearly the initial git snap was 2006 or so ... and some of the systemd devs didn't get involved till a long while later. Thanks for clarifying the historical record ... gene
On Sat, Nov 24, 2012 at 02:48:14PM +0100, Joakim Hernberg wrote:
On Fri, 23 Nov 2012 21:33:23 +0300 MSal <msal@tormail.org> wrote:
70-uaccess.rules is not a backup file and AFAIK any modifications will be overwritten in the next update.
I have no /etc/udev/rules.d/70-uaccess.rules on my system, i do have a /usr/lib/udev/rules.d/70-uaccess.rules though. I think creating the /etc/udev/rules.d/70-uaccess.rules to /dev/null symlink will override the standard rule and will not be overwritten by upgrading the udev package.
That's correct. When a file in /etc/udev/rules.d exists the one with the same name in /usr/lib/udev/rules.d wont' be used. And the one in /etc won't be affected by upgrades. So the symlink to /dev/null in /etc will prevent devices being tagged with 'uaccess' and then logind will leave them alone. So, it is sort of a solution, but it looks fragile to me, and I'd much prefer being able to configure logind to not use the 'seat' and 'session' model. No program should define such a policy on its own and have it hardcoded. Ciao, -- FA A world of exhaustive, reliable metadata would be an utopia. It's also a pipe-dream, founded on self-delusion, nerd hubris and hysterically inflated market opportunities. (Cory Doctorow)
On Nov 23, 2012 12:21 AM, "MSal" <msal@tormail.org> wrote:
I asked about this in the forum. But it looks like this is a better place to discuss systemd-related issues.
If I login to user1 or user2 then try to play audio which requires access to /dev/snd/* , proper access to the logged in user is set by the session and everything works correctly.
But, if I login to user1 then su to user2, audio wouldn't work because access permissions are assigned to the session user only (user1).
Any idea how to fix this issue?
Could you elaborate a bit on what you are trying to do? (there might be a better way without using 'su'. The behaviour you are getting is by design, so there is nothing really to fix. However, you can of course make the system behave the way you want: Either, assign your devices to the audio group and the same with your users. Or add systemd_pam to the su pam file. This will create a new session for you when you use su and should therefore adjust the ACLs accordingly. HTH, Tom
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I had the problem on 2 arch boxes that sound generally didn't work when using gdm. Sound also stopped when I e.g. switched to another tty, independend from if gdm was active or if I started gnome from console via startx. I fixed both issues with adding myself to the audio group without changing anything in /etc/dev/rules.d or similar things. It seems to me that it was also an issue with sessions: According to the journal, gdm starts using session 1 but a new session 2 is opened for $user after login. ~Jakob -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBAgAGBQJQsRMqAAoJEOl7hkDId7Ym+iEQAJ3II8iqPsPE7FNcy6862yt6 mDcFoQxw0kmV8OG8ivB9JkSsYEOcTCIlSzHOQX0WhDxJuzTSKpCPS906obdc97Dj 2/GQWVy9LXbF9ZLMm+yjGQpbWdbM3NdyJ6c4NWyLV7zqE2L8lK1+AVxe1gmNi/v0 4hRVRylNZ2vodI/wPVFugXgGkUnX4VY8v8nFO+SSlyJdOMmMA8iJDVi5s65gw/24 44KJ7IzpDGsN9PZhF/AqcSrBAGWOToAjeqLcKxM0oIr6OSUj/VSfR7D4Py+bTp/i tJhgHRmB46LP+QLcwBwPXJMC/r+F0qE+OFDCxpRVvyty3PTIWqRSIQJthbZ+Yf6K OSjvlUlVobhdYdfwzK5BRSt30FK/rQ6quEuYLC1fUkORePLjxnoQ/OyL9a9O7+nE 3/xYWzQpL8+vu5CG2LyZUsz/1f/jz7r847vS/J0n9zh3gJRHN9u7epdHfpLmYWrp mkD7BDs6lRs1uo67rDMG3f3VtBZzfVKKNBFppLiMdfuUHqxpzHCFap/hUZ98hEyE tER8BsXYINLkZM+TSivcX6/stDA83tPInUZCcroZnpUYvT41vhlJsuG/sVEl0pQ6 VBEKvuhNyaDSjT2ai6TrALUiZNUsaJa187z4XvSVJBZql3YErsF/n+IDj21OCrQw 5kxVumvw5Olg5bb9kqU9 =Lrtu -----END PGP SIGNATURE-----
On Sat, Nov 24, 2012 at 07:00:10PM +0100, Tom Gundersen wrote:
On Nov 23, 2012 12:21 AM, "MSal" <msal@tormail.org> wrote:
I asked about this in the forum. But it looks like this is a better place to discuss systemd-related issues.
If I login to user1 or user2 then try to play audio which requires access to /dev/snd/* , proper access to the logged in user is set by the session and everything works correctly.
But, if I login to user1 then su to user2, audio wouldn't work because access permissions are assigned to the session user only (user1).
Any idea how to fix this issue?
Could you elaborate a bit on what you are trying to do? (there might be a better way without using 'su'.
The behaviour you are getting is by design, so there is nothing really to fix. However, you can of course make the system behave the way you want:
Either, assign your devices to the audio group and the same with your users.
.....
Or add systemd_pam to the su pam file. This will create a new session for you when you use su and should therefore adjust the ACLs accordingly.
pam_systemd is exactly what I was looking for. It works with systemd's/logind's upstream behaviour instead of working around it. For reference, I added the following 2 lines to both /etc/pam.d/su{,-l} as I want a unified behaviour for all su invocations. Both files are backup which is an added plus: session required pam_loginuid.so session required pam_systemd.so kill-session-processes=1 Warning: This will break su in already-open sessions. Note: "pam_loginuid.so" is an absolute requirement for this use-case not just a recommendation. Check out `man 8 pam_systemd` and `man 8 pam_loginuid` for more info.
participants (9)
-
Daniel Micay
-
Dave Reisner
-
Fons Adriaensen
-
Genes MailLists
-
Jakob Herrmann
-
Joakim Hernberg
-
MSal
-
Tom Gundersen
-
Zeke Sulastin